Working with Port Forwards

Note: This topic applies to the Leeds Release.

Typically, port forwards are used to forward requests that arrive at an external network interface to a particular network host in an internal network zone. It is common to think of such requests arriving from hosts on the Internet; however, port forwards can be used to forward any type of traffic that arrives at an interface, regardless of whether the interface connects to the Internet or some other network zone.

If required, you can also create port forwarding rules for requests from internal network addresses.

For example, you can create a port forward rule to forward HTTP requests on port 80 to a web server listening on port 81 in a Demilitarized Zone (DMZ). If the web server has an IP address of 192.168.2.60, you can create a port forward rule to forward all port 80 TCP traffic to port 81 on 192.168.2.60.

Port forwards can be configured where network traffic uses the following path through the Smoothwall:

Network traffic from these: Client IP addresses
coming in on: Local IP (the interface)
using these: Services (if any)
addressed to these: Target IP address
using this: Port(s)

Note: It is important to consider the security implications of each new port forward rule. Any network is only as secure as the services exposed upon it.

Port forwards allow unknown hosts from the external network to access a particular internal host. If a hacker or cracker manages to break into a host that they have been forwarded to, they may gain access to other hosts in the network.

For this reason, we recommend that all port forwards are directed towards hosts in isolated network zones that preferably contain no confidential or security-sensitive network hosts. Use the Network > Firewall > Firewall rules page to ensure that the target host of the port forward is contained within a suitably isolated network, that is, a DMZ scenario.
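
One way to check a set of port forward rules against the recommendation above is shown below. This is an added example, not Smoothwall code or a Smoothwall export format. The PortForward record, the zone subnets, and every address other than 192.168.2.60 are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Assumed zone layout (constructed); only the DMZ counts as isolated here.
ZONES = {
    "dmz": ipaddress.ip_network("192.168.2.0/24"),
    "lan": ipaddress.ip_network("192.168.1.0/24"),
}
ISOLATED_ZONES = {"dmz"}

@dataclass
class PortForward:
    """Hypothetical record mirroring the rule fields described in this topic."""
    client_ips: str    # source addresses in CIDR form ("0.0.0.0/0" = any)
    local_ip: str      # interface address the traffic arrives on
    service_port: int  # port the request arrives on
    target_ip: str     # internal host the traffic is forwarded to
    target_port: int   # port on the target host

def zone_of(ip):
    """Return the name of the zone containing ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)

def audit(rules):
    """Return (rule, finding) pairs for forwards that need attention."""
    findings = []
    for r in rules:
        zone = zone_of(r.target_ip)
        if zone is None:
            findings.append((r, "VIOLATION: target is not in any known zone"))
        elif zone not in ISOLATED_ZONES:
            findings.append((r, f"VIOLATION: target is in non-isolated zone '{zone}'"))
        elif ipaddress.ip_network(r.client_ips).prefixlen == 0:
            findings.append((r, "REVIEW: reachable by any client address"))
    return findings

# Constructed sample rules; the first is the port 80 -> 81 example from the text.
RULES = [
    PortForward("0.0.0.0/0", "203.0.113.10", 80, "192.168.2.60", 81),
    PortForward("198.51.100.0/24", "203.0.113.10", 443, "192.168.1.25", 443),
    PortForward("198.51.100.0/24", "203.0.113.10", 22, "192.168.2.61", 22),
]

if __name__ == "__main__":
    for rule, finding in audit(RULES):
        print(f"{rule.local_ip}:{rule.service_port} -> "
              f"{rule.target_ip}:{rule.target_port}  {finding}")
```

The forward to the DMZ web server is reported for review only because any client can reach it. The forward into the assumed LAN subnet is reported as a violation of the isolation recommendation.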